
Business communications by regulated financial entities through personal messaging


The use of personal messaging applications (such as WhatsApp) by employees for business-related communications has become ubiquitous. Recent regulatory developments in the United States and India have highlighted the risks of such communications to companies that are subject to record-keeping requirements.

In the United States, the Securities and Exchange Commission (“SEC”) found a broker-dealer to be in violation of the record-keeping requirements to maintain and preserve communications made by its employees, both internally and externally, through personal text messages or other text messaging platforms such as WhatsApp. The broker-dealer agreed to pay a civil monetary penalty of $125,000,000 for this violation. In India, the Securities and Exchange Board of India (“SEBI”) found a research analyst to be in breach of the record-keeping provisions under the SEBI (Research Analysts) Regulations, 2014, by failing to maintain records of recommendations/ calls made through WhatsApp/ email/ terminal. SEBI also found that the research analyst had failed to maintain complete records of the rationale behind the recommendations given by its employee through social media.

Similar record-keeping obligations are imposed on other regulated entities as well. The use of personal communication devices or applications may increase the risk of compliance failure and invite regulatory action.

The above cases have highlighted only the record-keeping aspect of the use of personal communications devices/ applications. However, there are broader issues arising from such communications that have implications for all businesses and not just those that have regulatory record-keeping obligations. These include potential “platform” liability for hosting (or moderating) forums where sensitive information may be shared, security (including cyber-security) risks, risks of unauthorised use of proprietary or price sensitive data, privacy and confidentiality considerations, limitations on traceability or auditability of systems/ data and compliance with “discovery” requests, and inability to respond to directions of regulatory/ investigative agencies to intercept or “take down” material.

Businesses, not limited to regulated entities, may consider the following steps to mitigate the risks arising from use of personal communication devices/ applications:

  • Regulated entities should consider having policies for communications by employees that are consistent with record-keeping obligations and use technological solutions which ensure that appropriate records of all business communication are maintained. Needless to say, technological solutions will need to be designed to enable compliance with applicable privacy laws and standards. Regulated entities may consider restricting business communications to emails recorded on the entities’ computer systems or to third-party platforms that enable appropriate data backups and audit logs to be maintained by the regulated entity.
  • Based on their specific regulatory framework and business risks, businesses should consider framing/ updating policies for business communications by employees. Such policies should clearly distinguish between business communications/ records and other correspondence, define the primary mode of business communication (for example, official emails) and create a positive obligation on the employee to create a record in the official system (for example, by forwarding or carbon copying emails to the official email addresses) of all business communication on personal devices/ applications.
  • In certain circumstances, regulated entities may also be able to classify specific types of activities and communication into categories based on the extent of regulated or sensitive material they involve. Based on this, it may be possible to enable less sensitive activities through third-party platforms or services, by entering into appropriate documentation, obtaining suitable consents and publishing documentation, while requiring that core communications take place only through owned platforms. Such classification is necessarily dynamic and evolving and enables a balance to be found between enabling easy communication and managing risk and regulatory obligations.
  • Finally, regulated entities may conduct periodic compliance audits of such policies and procedures to ensure that record-keeping obligations are adhered to in the regulated businesses.
